// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "content/browser/gpu/gpu_process_host.h"

#include <stddef.h>

#include <algorithm>
#include <list>
#include <utility>

#include "base/base64.h"
#include "base/base_switches.h"
#include "base/bind.h"
#include "base/callback_helpers.h"
#include "base/command_line.h"
#include "base/logging.h"
#include "base/macros.h"
#include "base/memory/ptr_util.h"
#include "base/memory/ref_counted.h"
#include "base/metrics/field_trial.h"
#include "base/metrics/histogram_macros.h"
#include "base/sha1.h"
#include "base/threading/thread.h"
#include "base/threading/thread_task_runner_handle.h"
#include "base/trace_event/trace_event.h"
#include "build/build_config.h"
#include "components/tracing/common/tracing_switches.h"
#include "content/browser/browser_child_process_host_impl.h"
#include "content/browser/gpu/compositor_util.h"
#include "content/browser/gpu/gpu_data_manager_impl.h"
#include "content/browser/gpu/gpu_process_host_ui_shim.h"
#include "content/browser/gpu/shader_cache_factory.h"
#include "content/browser/renderer_host/render_widget_host_impl.h"
#include "content/browser/service_manager/service_manager_context.h"
#include "content/common/child_process_host_impl.h"
#include "content/common/establish_channel_params.h"
#include "content/common/gpu_host_messages.h"
#include "content/common/in_process_child_thread_params.h"
#include "content/common/service_manager/child_connection.h"
#include "content/common/view_messages.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/browser/content_browser_client.h"
#include "content/public/browser/gpu_utils.h"
#include "content/public/browser/render_process_host.h"
#include "content/public/browser/render_widget_host_view.h"
#include "content/public/browser/render_widget_host_view_frame_subscriber.h"
#include "content/public/common/connection_filter.h"
#include "content/public/common/content_client.h"
#include "content/public/common/content_switches.h"
#include "content/public/common/mojo_channel_switches.h"
#include "content/public/common/result_codes.h"
#include "content/public/common/sandbox_type.h"
#include "content/public/common/sandboxed_process_launcher_delegate.h"
#include "content/public/common/service_manager_connection.h"
#include "content/public/common/service_names.mojom.h"
#include "gpu/command_buffer/service/gpu_preferences.h"
#include "gpu/command_buffer/service/gpu_switches.h"
#include "gpu/ipc/host/shader_disk_cache.h"
#include "gpu/ipc/service/switches.h"
#include "ipc/ipc_channel_handle.h"
#include "ipc/message_filter.h"
#include "media/base/media_switches.h"
#include "media/media_features.h"
#include "mojo/edk/embedder/embedder.h"
#include "services/service_manager/public/cpp/connection.h"
#include "services/service_manager/public/cpp/interface_provider.h"
#include "services/service_manager/runner/common/client_util.h"
#include "ui/base/ui_base_switches.h"
#include "ui/events/latency_info.h"
#include "ui/gfx/switches.h"
#include "ui/gl/gl_switches.h"

#if defined(OS_ANDROID)
#include "base/android/build_info.h"
#endif

#if defined(OS_WIN)
#include "base/win/windows_version.h"
#include "content/common/sandbox_win.h"
#include "sandbox/win/src/sandbox_policy.h"
#include "ui/gfx/switches.h"
#include "ui/gfx/win/rendering_window_manager.h"
#endif

#if defined(USE_OZONE)
#include "ui/ozone/public/gpu_platform_support_host.h"
#include "ui/ozone/public/ozone_platform.h"
#include "ui/ozone/public/ozone_switches.h"
#endif

#if defined(USE_X11) && !defined(OS_CHROMEOS)
#include "ui/gfx/x/x11_switches.h" // nogncheck
#endif

#if defined(OS_MACOSX) || defined(OS_ANDROID)
#include "gpu/ipc/common/gpu_surface_tracker.h"
#endif

namespace content {

bool GpuProcessHost::gpu_enabled_ = true;
bool GpuProcessHost::hardware_gpu_enabled_ = true;
int GpuProcessHost::gpu_crash_count_ = 0;
int GpuProcessHost::gpu_recent_crash_count_ = 0;
bool GpuProcessHost::crashed_before_ = false;
int GpuProcessHost::swiftshader_crash_count_ = 0;

namespace {

    // Command-line switches to propagate to the GPU process.
    static const char* const kSwitchNames[] = {
        switches::kCreateDefaultGLContext,
        switches::kDisableAcceleratedVideoDecode,
        switches::kDisableBreakpad,
        switches::kDisableES3GLContext,
        switches::kDisableGpuSandbox,
        switches::kDisableGpuWatchdog,
        switches::kDisableGLExtensions,
        switches::kDisableLogging,
        switches::kDisableSeccompFilterSandbox,
#if BUILDFLAG(ENABLE_WEBRTC)
        switches::kDisableWebRtcHWEncoding,
#endif
#if defined(OS_WIN)
        switches::kEnableAcceleratedVpxDecode,
#endif
        switches::kEnableHeapProfiling,
        switches::kEnableLogging,
#if defined(OS_CHROMEOS)
        switches::kDisableVaapiAcceleratedVideoEncode,
#endif
        switches::kGpuDriverBugWorkarounds,
        switches::kGpuStartupDialog,
        switches::kGpuSandboxAllowSysVShm,
        switches::kGpuSandboxFailuresFatal,
        switches::kGpuSandboxStartEarly,
        switches::kHeadless,
        switches::kLoggingLevel,
        switches::kEnableLowEndDeviceMode,
        switches::kDisableLowEndDeviceMode,
        switches::kNoSandbox,
        switches::kProfilerTiming,
        switches::kTestGLLib,
        switches::kTraceConfigFile,
        switches::kTraceStartup,
        switches::kTraceToConsole,
        switches::kUseGpuInTests,
        switches::kV,
        switches::kVModule,
#if defined(OS_MACOSX)
        switches::kDisableAVFoundationOverlays,
        switches::kDisableRemoteCoreAnimation,
        switches::kEnableSandboxLogging,
        switches::kShowMacOverlayBorders,
#endif
#if defined(USE_OZONE)
        switches::kOzonePlatform,
#endif
#if defined(USE_X11) && !defined(OS_CHROMEOS)
        switches::kX11Display,
#endif
        switches::kGpuTestingGLVendor,
        switches::kGpuTestingGLRenderer,
        switches::kGpuTestingGLVersion,
        switches::kDisableGpuDriverBugWorkarounds,
        switches::kUsePassthroughCmdDecoder
    };

    enum GPUProcessLifetimeEvent {
        LAUNCHED,
        DIED_FIRST_TIME,
        DIED_SECOND_TIME,
        DIED_THIRD_TIME,
        DIED_FOURTH_TIME,
        GPU_PROCESS_LIFETIME_EVENT_MAX = 100
    };

    // Indexed by GpuProcessKind. There is one of each kind maximum. This array may
    // only be accessed from the IO thread.
    GpuProcessHost* g_gpu_process_hosts[GpuProcessHost::GPU_PROCESS_KIND_COUNT];

    void SendGpuProcessMessage(GpuProcessHost::GpuProcessKind kind,
        bool force_create,
        IPC::Message* message)
    {
        GpuProcessHost* host = GpuProcessHost::Get(kind, force_create);
        if (host) {
            host->Send(message);
        } else {
            delete message;
        }
    }

#if defined(USE_OZONE)
    void SendGpuProcessMessageByHostId(int host_id, IPC::Message* message)
    {
        GpuProcessHost* host = GpuProcessHost::FromID(host_id);
        if (host) {
            host->Send(message);
        } else {
            delete message;
        }
    }
#endif

    // NOTE: changes to this class need to be reviewed by the security team.
    class GpuSandboxedProcessLauncherDelegate
        : public SandboxedProcessLauncherDelegate {
    public:
        explicit GpuSandboxedProcessLauncherDelegate(
            const base::CommandLine& cmd_line)
#if defined(OS_WIN)
            : cmd_line_(cmd_line)
#endif
        {
        }

        ~GpuSandboxedProcessLauncherDelegate() override { }

#if defined(OS_WIN)
        bool ShouldSandbox() override
        {
            bool sandbox = !cmd_line_.HasSwitch(switches::kDisableGpuSandbox);
            if (!sandbox) {
                DVLOG(1) << "GPU sandbox is disabled";
            }
            return sandbox;
        }

        bool DisableDefaultPolicy() override
        {
            return true;
        }

        // For the GPU process we gotten as far as USER_LIMITED. The next level
        // which is USER_RESTRICTED breaks both the DirectX backend and the OpenGL
        // backend. Note that the GPU process is connected to the interactive
        // desktop.
        bool PreSpawnTarget(sandbox::TargetPolicy* policy) override
        {
            if (base::win::GetVersion() > base::win::VERSION_XP) {
                if (cmd_line_.GetSwitchValueASCII(switches::kUseGL) == gl::kGLImplementationDesktopName) {
                    // Open GL path.
                    policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
                        sandbox::USER_LIMITED);
                    SetJobLevel(cmd_line_, sandbox::JOB_UNPROTECTED, 0, policy);
                    policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
                } else {
                    policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
                        sandbox::USER_LIMITED);

                    // UI restrictions break when we access Windows from outside our job.
                    // However, we don't want a proxy window in this process because it can
                    // introduce deadlocks where the renderer blocks on the gpu, which in
                    // turn blocks on the browser UI thread. So, instead we forgo a window
                    // message pump entirely and just add job restrictions to prevent child
                    // processes.
                    SetJobLevel(cmd_line_,
                        sandbox::JOB_LIMITED_USER,
                        JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS | JOB_OBJECT_UILIMIT_DESKTOP | JOB_OBJECT_UILIMIT_EXITWINDOWS | JOB_OBJECT_UILIMIT_DISPLAYSETTINGS,
                        policy);

                    policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
                }
            } else {
                SetJobLevel(cmd_line_, sandbox::JOB_UNPROTECTED, 0, policy);
                policy->SetTokenLevel(sandbox::USER_UNPROTECTED,
                    sandbox::USER_LIMITED);
            }

            // Allow the server side of GPU sockets, which are pipes that have
            // the "chrome.gpu" namespace and an arbitrary suffix.
            sandbox::ResultCode result = policy->AddRule(
                sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
                sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
                L"\\\\.\\pipe\\chrome.gpu.*");
            if (result != sandbox::SBOX_ALL_OK)
                return false;

            // Block this DLL even if it is not loaded by the browser process.
            policy->AddDllToUnload(L"cmsetac.dll");

            if (cmd_line_.HasSwitch(switches::kEnableLogging)) {
                base::string16 log_file_path = logging::GetLogFileFullPath();
                if (!log_file_path.empty()) {
                    result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                        sandbox::TargetPolicy::FILES_ALLOW_ANY,
                        log_file_path.c_str());
                    if (result != sandbox::SBOX_ALL_OK)
                        return false;
                }
            }

            return true;
        }
#endif // OS_WIN

        SandboxType GetSandboxType() override
        {
            return SANDBOX_TYPE_GPU;
        }

    private:
#if defined(OS_WIN)
        base::CommandLine cmd_line_;
#endif // OS_WIN
    };

    void HostLoadedShader(int host_id,
        const std::string& key,
        const std::string& data)
    {
        GpuProcessHost* host = GpuProcessHost::FromID(host_id);
        if (host)
            host->LoadedShader(key, data);
    }

} // anonymous namespace

class GpuProcessHost::ConnectionFilterImpl : public ConnectionFilter {
public:
    ConnectionFilterImpl(GpuProcessHost* host)
        : host_(host)
    {
    }

private:
    // ConnectionFilter:
    bool OnConnect(const service_manager::Identity& remote_identity,
        service_manager::InterfaceRegistry* registry,
        service_manager::Connector* connector) override
    {
        if (remote_identity.name() != mojom::kGpuServiceName)
            return false;

        GetContentClient()->browser()->ExposeInterfacesToGpuProcess(registry,
            host_);
        return true;
    }

    GpuProcessHost* host_;

    DISALLOW_COPY_AND_ASSIGN(ConnectionFilterImpl);
};

// static
bool GpuProcessHost::ValidateHost(GpuProcessHost* host)
{
    // The Gpu process is invalid if it's not using SwiftShader, the card is
    // blacklisted, and we can kill it and start over.
    if (base::CommandLine::ForCurrentProcess()->HasSwitch(
            switches::kSingleProcess)
        || base::CommandLine::ForCurrentProcess()->HasSwitch(
            switches::kInProcessGPU)
        || (host->valid_ && (host->swiftshader_rendering_ || !GpuDataManagerImpl::GetInstance()->ShouldUseSwiftShader()))) {
        return true;
    }

    host->ForceShutdown();
    return false;
}

// static
GpuProcessHost* GpuProcessHost::Get(GpuProcessKind kind, bool force_create)
{
    DCHECK(!service_manager::ServiceManagerIsRemote());
    DCHECK_CURRENTLY_ON(BrowserThread::IO);

    // Don't grant further access to GPU if it is not allowed.
    GpuDataManagerImpl* gpu_data_manager = GpuDataManagerImpl::GetInstance();
    DCHECK(gpu_data_manager);
    if (!gpu_data_manager->GpuAccessAllowed(NULL))
        return NULL;

    if (g_gpu_process_hosts[kind] && ValidateHost(g_gpu_process_hosts[kind]))
        return g_gpu_process_hosts[kind];

    if (!force_create)
        return nullptr;

    static int last_host_id = 0;
    int host_id;
    host_id = ++last_host_id;

    GpuProcessHost* host = new GpuProcessHost(host_id, kind);
    if (host->Init())
        return host;

    // TODO(sievers): Revisit this behavior. It's not really a crash, but we also
    // want the fallback-to-sw behavior if we cannot initialize the GPU.
    host->RecordProcessCrash();

    delete host;
    return NULL;
}

// static
void GpuProcessHost::GetProcessHandles(
    const GpuDataManager::GetGpuProcessHandlesCallback& callback)
{
    if (!BrowserThread::CurrentlyOn(BrowserThread::IO)) {
        BrowserThread::PostTask(
            BrowserThread::IO,
            FROM_HERE,
            base::Bind(&GpuProcessHost::GetProcessHandles, callback));
        return;
    }
    std::list<base::ProcessHandle> handles;
    for (size_t i = 0; i < arraysize(g_gpu_process_hosts); ++i) {
        // TODO(rvargas) crbug/417532: don't store ProcessHandles!.
        GpuProcessHost* host = g_gpu_process_hosts[i];
        if (host && ValidateHost(host))
            handles.push_back(host->process_->GetProcess().Handle());
    }
    BrowserThread::PostTask(
        BrowserThread::UI,
        FROM_HERE,
        base::Bind(callback, handles));
}

// static
void GpuProcessHost::SendOnIO(GpuProcessKind kind,
    bool force_create,
    IPC::Message* message)
{
    if (!BrowserThread::PostTask(
            BrowserThread::IO, FROM_HERE,
            base::Bind(&SendGpuProcessMessage, kind, force_create, message))) {
        delete message;
    }
}

GpuMainThreadFactoryFunction g_gpu_main_thread_factory = NULL;

GpuProcessHost::EstablishChannelRequest::EstablishChannelRequest()
    : client_id(0)
{
}

GpuProcessHost::EstablishChannelRequest::EstablishChannelRequest(
    const EstablishChannelRequest& other)
    = default;

GpuProcessHost::EstablishChannelRequest::~EstablishChannelRequest() { }

void GpuProcessHost::RegisterGpuMainThreadFactory(
    GpuMainThreadFactoryFunction create)
{
    g_gpu_main_thread_factory = create;
}

service_manager::InterfaceProvider* GpuProcessHost::GetRemoteInterfaces()
{
    return process_->child_connection()->GetRemoteInterfaces();
}

// static
GpuProcessHost* GpuProcessHost::FromID(int host_id)
{
    DCHECK_CURRENTLY_ON(BrowserThread::IO);

    for (int i = 0; i < GPU_PROCESS_KIND_COUNT; ++i) {
        GpuProcessHost* host = g_gpu_process_hosts[i];
        if (host && host->host_id_ == host_id && ValidateHost(host))
            return host;
    }

    return NULL;
}

GpuProcessHost::GpuProcessHost(int host_id, GpuProcessKind kind)
    : host_id_(host_id)
    , valid_(true)
    , in_process_(false)
    , swiftshader_rendering_(false)
    , kind_(kind)
    , process_launched_(false)
    , initialized_(false)
{
    if (base::CommandLine::ForCurrentProcess()->HasSwitch(
            switches::kSingleProcess)
        || base::CommandLine::ForCurrentProcess()->HasSwitch(
            switches::kInProcessGPU)) {
        in_process_ = true;
    }

    // If the 'single GPU process' policy ever changes, we still want to maintain
    // it for 'gpu thread' mode and only create one instance of host and thread.
    DCHECK(!in_process_ || g_gpu_process_hosts[kind] == NULL);

    g_gpu_process_hosts[kind] = this;

    // Post a task to create the corresponding GpuProcessHostUIShim.  The
    // GpuProcessHostUIShim will be destroyed if either the browser exits,
    // in which case it calls GpuProcessHostUIShim::DestroyAll, or the
    // GpuProcessHost is destroyed, which happens when the corresponding GPU
    // process terminates or fails to launch.
    BrowserThread::PostTask(
        BrowserThread::UI,
        FROM_HERE,
        base::Bind(base::IgnoreResult(&GpuProcessHostUIShim::Create), host_id));

    process_.reset(new BrowserChildProcessHostImpl(
        PROCESS_TYPE_GPU, this, mojom::kGpuServiceName));
}

GpuProcessHost::~GpuProcessHost()
{
    DCHECK(CalledOnValidThread());

    SendOutstandingReplies();

    // In case we never started, clean up.
    while (!queued_messages_.empty()) {
        delete queued_messages_.front();
        queued_messages_.pop();
    }

    // This is only called on the IO thread so no race against the constructor
    // for another GpuProcessHost.
    if (g_gpu_process_hosts[kind_] == this)
        g_gpu_process_hosts[kind_] = NULL;

#if defined(OS_MACOSX) || defined(OS_ANDROID)
    UMA_HISTOGRAM_COUNTS_100("GPU.AtExitSurfaceCount",
        gpu::GpuSurfaceTracker::Get()->GetSurfaceCount());
#endif

    std::string message;
    bool block_offscreen_contexts = true;
    if (!in_process_) {
        int exit_code;
        base::TerminationStatus status = process_->GetTerminationStatus(
            false /* known_dead */, &exit_code);
        UMA_HISTOGRAM_ENUMERATION("GPU.GPUProcessTerminationStatus",
            status,
            base::TERMINATION_STATUS_MAX_ENUM);

        if (status == base::TERMINATION_STATUS_NORMAL_TERMINATION || status == base::TERMINATION_STATUS_ABNORMAL_TERMINATION || status == base::TERMINATION_STATUS_PROCESS_CRASHED) {
            // Windows always returns PROCESS_CRASHED on abnormal termination, as it
            // doesn't have a way to distinguish the two.
            UMA_HISTOGRAM_ENUMERATION("GPU.GPUProcessExitCode",
                exit_code,
                RESULT_CODE_LAST_CODE);
        }

        switch (status) {
        case base::TERMINATION_STATUS_NORMAL_TERMINATION:
            // Don't block offscreen contexts (and force page reload for webgl)
            // if this was an intentional shutdown or the OOM killer on Android
            // killed us while Chrome was in the background.
// TODO(crbug.com/598400): Restrict this to Android for now, since other
// platforms might fall through here for the 'exit_on_context_lost' workaround.
#if defined(OS_ANDROID)
            block_offscreen_contexts = false;
#endif
            message = "The GPU process exited normally. Everything is okay.";
            break;
        case base::TERMINATION_STATUS_ABNORMAL_TERMINATION:
            message = base::StringPrintf(
                "The GPU process exited with code %d.",
                exit_code);
            break;
        case base::TERMINATION_STATUS_PROCESS_WAS_KILLED:
            message = "You killed the GPU process! Why?";
            break;
#if defined(OS_CHROMEOS)
        case base::TERMINATION_STATUS_PROCESS_WAS_KILLED_BY_OOM:
            message = "The GUP process was killed due to out of memory.";
            break;
#endif
        case base::TERMINATION_STATUS_PROCESS_CRASHED:
            message = "The GPU process crashed!";
            break;
        case base::TERMINATION_STATUS_LAUNCH_FAILED:
            message = "The GPU process failed to start!";
            break;
        default:
            break;
        }
    }

    // If there are any remaining offscreen contexts at the point the
    // GPU process exits, assume something went wrong, and block their
    // URLs from accessing client 3D APIs without prompting.
    if (block_offscreen_contexts)
        BlockLiveOffscreenContexts();

    BrowserThread::PostTask(BrowserThread::UI,
        FROM_HERE,
        base::Bind(&GpuProcessHostUIShim::Destroy,
            host_id_,
            message));
}

bool GpuProcessHost::Init()
{
    init_start_time_ = base::TimeTicks::Now();

    TRACE_EVENT_INSTANT0("gpu", "LaunchGpuProcess", TRACE_EVENT_SCOPE_THREAD);

    // May be null during test execution.
    if (ServiceManagerConnection::GetForProcess()) {
        ServiceManagerConnection::GetForProcess()->AddConnectionFilter(
            base::MakeUnique<ConnectionFilterImpl>(this));
    }

    process_->GetHost()->CreateChannelMojo();

    gpu::GpuPreferences gpu_preferences = GetGpuPreferencesFromCommandLine();
    if (in_process_) {
        DCHECK_CURRENTLY_ON(BrowserThread::IO);
        DCHECK(g_gpu_main_thread_factory);
        in_process_gpu_thread_.reset(g_gpu_main_thread_factory(
            InProcessChildThreadParams(
                base::ThreadTaskRunnerHandle::Get(),
                process_->child_connection()->service_token()),
            gpu_preferences));
        base::Thread::Options options;
#if defined(OS_WIN)
        // WGL needs to create its own window and pump messages on it.
        options.message_loop_type = base::MessageLoop::TYPE_UI;
#endif
#if defined(OS_ANDROID) || defined(OS_CHROMEOS)
        options.priority = base::ThreadPriority::DISPLAY;
#endif
        in_process_gpu_thread_->StartWithOptions(options);

        OnProcessLaunched(); // Fake a callback that the process is ready.
    } else if (!LaunchGpuProcess(&gpu_preferences)) {
        return false;
    }

    process_->child_channel()
        ->GetAssociatedInterfaceSupport()
        ->GetRemoteAssociatedInterface(&gpu_main_ptr_);

    if (!Send(new GpuMsg_Initialize(gpu_preferences)))
        return false;

#if defined(USE_OZONE)
    // Ozone needs to send the primary DRM device to GPU process as early as
    // possible to ensure the latter always has a valid device. crbug.com/608839
    ui::OzonePlatform::GetInstance()
        ->GetGpuPlatformSupportHost()
        ->OnGpuProcessLaunched(
            host_id_, BrowserThread::GetTaskRunnerForThread(BrowserThread::IO),
            base::Bind(&SendGpuProcessMessageByHostId, host_id_));
#endif

    return true;
}

void GpuProcessHost::RouteOnUIThread(const IPC::Message& message)
{
    BrowserThread::PostTask(
        BrowserThread::UI,
        FROM_HERE,
        base::Bind(&RouteToGpuProcessHostUIShimTask, host_id_, message));
}

bool GpuProcessHost::Send(IPC::Message* msg)
{
    DCHECK(CalledOnValidThread());
    if (process_->GetHost()->IsChannelOpening()) {
        queued_messages_.push(msg);
        return true;
    }

    bool result = process_->Send(msg);
    if (!result) {
        // Channel is hosed, but we may not get destroyed for a while. Send
        // outstanding channel creation failures now so that the caller can restart
        // with a new process/channel without waiting.
        SendOutstandingReplies();
    }
    return result;
}

void GpuProcessHost::AddFilter(IPC::MessageFilter* filter)
{
    DCHECK(CalledOnValidThread());
    process_->GetHost()->AddFilter(filter);
}

bool GpuProcessHost::OnMessageReceived(const IPC::Message& message)
{
    DCHECK(CalledOnValidThread());
    IPC_BEGIN_MESSAGE_MAP(GpuProcessHost, message)
    IPC_MESSAGE_HANDLER(GpuHostMsg_Initialized, OnInitialized)
    IPC_MESSAGE_HANDLER(GpuHostMsg_ChannelEstablished, OnChannelEstablished)
    IPC_MESSAGE_HANDLER(GpuHostMsg_GpuMemoryBufferCreated,
        OnGpuMemoryBufferCreated)
#if defined(OS_ANDROID)
    IPC_MESSAGE_HANDLER(GpuHostMsg_DestroyingVideoSurfaceAck,
        OnDestroyingVideoSurfaceAck)
#endif
    IPC_MESSAGE_HANDLER(GpuHostMsg_DidCreateOffscreenContext,
        OnDidCreateOffscreenContext)
    IPC_MESSAGE_HANDLER(GpuHostMsg_DidLoseContext, OnDidLoseContext)
    IPC_MESSAGE_HANDLER(GpuHostMsg_DidDestroyOffscreenContext,
        OnDidDestroyOffscreenContext)
    IPC_MESSAGE_HANDLER(GpuHostMsg_DestroyChannel, OnDestroyChannel)
    IPC_MESSAGE_HANDLER(GpuHostMsg_CacheShader, OnCacheShader)
#if defined(OS_WIN)
    IPC_MESSAGE_HANDLER(GpuHostMsg_AcceleratedSurfaceCreatedChildWindow,
        OnAcceleratedSurfaceCreatedChildWindow)
#endif
    IPC_MESSAGE_HANDLER(GpuHostMsg_FieldTrialActivated, OnFieldTrialActivated);
    IPC_MESSAGE_UNHANDLED(RouteOnUIThread(message))
    IPC_END_MESSAGE_MAP()

    return true;
}

#if defined(OS_WIN)
void GpuProcessHost::OnAcceleratedSurfaceCreatedChildWindow(
    gpu::SurfaceHandle parent_handle,
    gpu::SurfaceHandle window_handle)
{
    constexpr char kBadMessageError[] = "Bad parenting request from gpu process.";
    if (!in_process_) {
        DCHECK(process_);
        {
            DWORD process_id = 0;
            DWORD thread_id = GetWindowThreadProcessId(parent_handle, &process_id);

            if (!thread_id || process_id != ::GetCurrentProcessId()) {
                process_->TerminateOnBadMessageReceived(kBadMessageError);
                return;
            }
        }

        {
            DWORD process_id = 0;
            DWORD thread_id = GetWindowThreadProcessId(window_handle, &process_id);

            if (!thread_id || process_id != process_->GetProcess().Pid()) {
                process_->TerminateOnBadMessageReceived(kBadMessageError);
                return;
            }
        }
    }

    if (!gfx::RenderingWindowManager::GetInstance()->RegisterChild(
            parent_handle, window_handle)) {
        process_->TerminateOnBadMessageReceived(kBadMessageError);
    }
}
#endif

void GpuProcessHost::OnChannelConnected(int32_t peer_pid)
{
    TRACE_EVENT0("gpu", "GpuProcessHost::OnChannelConnected");

    while (!queued_messages_.empty()) {
        Send(queued_messages_.front());
        queued_messages_.pop();
    }
}

void GpuProcessHost::EstablishGpuChannel(
    int client_id,
    uint64_t client_tracing_id,
    bool preempts,
    bool allow_view_command_buffers,
    bool allow_real_time_streams,
    const EstablishChannelCallback& callback)
{
    DCHECK(CalledOnValidThread());
    TRACE_EVENT0("gpu", "GpuProcessHost::EstablishGpuChannel");

    // If GPU features are already blacklisted, no need to establish the channel.
    if (!GpuDataManagerImpl::GetInstance()->GpuAccessAllowed(NULL)) {
        DVLOG(1) << "GPU blacklisted, refusing to open a GPU channel.";
        callback.Run(IPC::ChannelHandle(), gpu::GPUInfo());
        return;
    }

    EstablishChannelParams params;
    params.client_id = client_id;
    params.client_tracing_id = client_tracing_id;
    params.preempts = preempts;
    params.allow_view_command_buffers = allow_view_command_buffers;
    params.allow_real_time_streams = allow_real_time_streams;
    if (Send(new GpuMsg_EstablishChannel(params))) {
        EstablishChannelRequest request;
        request.client_id = client_id;
        request.callback = callback;
        channel_requests_.push(request);
    } else {
        DVLOG(1) << "Failed to send GpuMsg_EstablishChannel.";
        callback.Run(IPC::ChannelHandle(), gpu::GPUInfo());
    }

    if (!base::CommandLine::ForCurrentProcess()->HasSwitch(
            switches::kDisableGpuShaderDiskCache)) {
        CreateChannelCache(client_id);
    }
}

void GpuProcessHost::CreateGpuMemoryBuffer(
    gfx::GpuMemoryBufferId id,
    const gfx::Size& size,
    gfx::BufferFormat format,
    gfx::BufferUsage usage,
    int client_id,
    gpu::SurfaceHandle surface_handle,
    const CreateGpuMemoryBufferCallback& callback)
{
    TRACE_EVENT0("gpu", "GpuProcessHost::CreateGpuMemoryBuffer");

    DCHECK(CalledOnValidThread());

    GpuMsg_CreateGpuMemoryBuffer_Params params;
    params.id = id;
    params.size = size;
    params.format = format;
    params.usage = usage;
    params.client_id = client_id;
    params.surface_handle = surface_handle;
    if (Send(new GpuMsg_CreateGpuMemoryBuffer(params))) {
        create_gpu_memory_buffer_requests_.push(callback);
    } else {
        callback.Run(gfx::GpuMemoryBufferHandle());
    }
}

void GpuProcessHost::DestroyGpuMemoryBuffer(gfx::GpuMemoryBufferId id,
    int client_id,
    const gpu::SyncToken& sync_token)
{
    TRACE_EVENT0("gpu", "GpuProcessHost::DestroyGpuMemoryBuffer");

    DCHECK(CalledOnValidThread());

    Send(new GpuMsg_DestroyGpuMemoryBuffer(id, client_id, sync_token));
}

#if defined(OS_ANDROID)
void GpuProcessHost::SendDestroyingVideoSurface(int surface_id,
    const base::Closure& done_cb)
{
    TRACE_EVENT0("gpu", "GpuProcessHost::SendDestroyingVideoSurface");
    DCHECK(send_destroying_video_surface_done_cb_.is_null());
    DCHECK(!done_cb.is_null());
    if (Send(new GpuMsg_DestroyingVideoSurface(surface_id))) {
        send_destroying_video_surface_done_cb_ = done_cb;
    } else {
        done_cb.Run();
    }
}
#endif

void GpuProcessHost::OnInitialized(bool result, const gpu::GPUInfo& gpu_info)
{
    UMA_HISTOGRAM_BOOLEAN("GPU.GPUProcessInitialized", result);
    initialized_ = result;
    gpu_info_ = gpu_info;

    if (!initialized_)
        GpuDataManagerImpl::GetInstance()->OnGpuProcessInitFailure();
    else
        GpuDataManagerImpl::GetInstance()->UpdateGpuInfo(gpu_info);
}

void GpuProcessHost::OnChannelEstablished(
    const IPC::ChannelHandle& channel_handle)
{
    TRACE_EVENT0("gpu", "GpuProcessHost::OnChannelEstablished");

    if (channel_requests_.empty()) {
        // This happens when GPU process is compromised.
        RouteOnUIThread(GpuHostMsg_OnLogMessage(
            logging::LOG_WARNING, "WARNING",
            "Received a ChannelEstablished message but no requests in queue."));
        return;
    }
    EstablishChannelRequest request = channel_requests_.front();
    channel_requests_.pop();

    // Currently if any of the GPU features are blacklisted, we don't establish a
    // GPU channel.
    if (channel_handle.mojo_handle.is_valid() && !GpuDataManagerImpl::GetInstance()->GpuAccessAllowed(NULL)) {
        Send(new GpuMsg_CloseChannel(request.client_id));
        request.callback.Run(IPC::ChannelHandle(), gpu::GPUInfo());
        RouteOnUIThread(
            GpuHostMsg_OnLogMessage(logging::LOG_WARNING, "WARNING",
                "Hardware acceleration is unavailable."));
        return;
    }

    request.callback.Run(channel_handle, gpu_info_);
}

void GpuProcessHost::OnGpuMemoryBufferCreated(
    const gfx::GpuMemoryBufferHandle& handle)
{
    TRACE_EVENT0("gpu", "GpuProcessHost::OnGpuMemoryBufferCreated");

    if (create_gpu_memory_buffer_requests_.empty())
        return;

    CreateGpuMemoryBufferCallback callback = create_gpu_memory_buffer_requests_.front();
    create_gpu_memory_buffer_requests_.pop();
    callback.Run(handle);
}

#if defined(OS_ANDROID)
void GpuProcessHost::OnDestroyingVideoSurfaceAck(int surface_id)
{
    TRACE_EVENT0("gpu", "GpuProcessHost::OnDestroyingVideoSurfaceAck");
    if (!send_destroying_video_surface_done_cb_.is_null())
        base::ResetAndReturn(&send_destroying_video_surface_done_cb_).Run();
}
#endif

void GpuProcessHost::OnDidCreateOffscreenContext(const GURL& url)
{
    urls_with_live_offscreen_contexts_.insert(url);
}

void GpuProcessHost::OnDidLoseContext(bool offscreen,
    gpu::error::ContextLostReason reason,
    const GURL& url)
{
    // TODO(kbr): would be nice to see the "offscreen" flag too.
    TRACE_EVENT2("gpu", "GpuProcessHost::OnDidLoseContext",
        "reason", reason,
        "url",
        url.possibly_invalid_spec());

    if (!offscreen || url.is_empty()) {
        // Assume that the loss of the compositor's or accelerated canvas'
        // context is a serious event and blame the loss on all live
        // offscreen contexts. This more robustly handles situations where
        // the GPU process may not actually detect the context loss in the
        // offscreen context.
        BlockLiveOffscreenContexts();
        return;
    }

    GpuDataManagerImpl::DomainGuilt guilt = GpuDataManagerImpl::DOMAIN_GUILT_UNKNOWN;
    switch (reason) {
    case gpu::error::kGuilty:
        guilt = GpuDataManagerImpl::DOMAIN_GUILT_KNOWN;
        break;
    // Treat most other error codes as though they had unknown provenance.
    // In practice this doesn't affect the user experience. A lost context
    // of either known or unknown guilt still causes user-level 3D APIs
    // (e.g. WebGL) to be blocked on that domain until the user manually
    // reenables them.
    case gpu::error::kUnknown:
    case gpu::error::kOutOfMemory:
    case gpu::error::kMakeCurrentFailed:
    case gpu::error::kGpuChannelLost:
    case gpu::error::kInvalidGpuMessage:
        break;
    case gpu::error::kInnocent:
        return;
    }

    GpuDataManagerImpl::GetInstance()->BlockDomainFrom3DAPIs(url, guilt);
}

void GpuProcessHost::OnDidDestroyOffscreenContext(const GURL& url)
{
    urls_with_live_offscreen_contexts_.erase(url);
}

void GpuProcessHost::OnFieldTrialActivated(const std::string& trial_name)
{
    // Activate the trial in the browser process to match its state in the
    // GPU process. This is done by calling FindFullName which finalizes the group
    // and activates the trial.
    base::FieldTrialList::FindFullName(trial_name);
}

void GpuProcessHost::OnProcessLaunched()
{
    UMA_HISTOGRAM_TIMES("GPU.GPUProcessLaunchTime",
        base::TimeTicks::Now() - init_start_time_);
}

void GpuProcessHost::OnProcessLaunchFailed(int error_code)
{
    // TODO(wfh): do something more useful with this error code.
    RecordProcessCrash();
}

void GpuProcessHost::OnProcessCrashed(int exit_code)
{
    SendOutstandingReplies();
    RecordProcessCrash();
    GpuDataManagerImpl::GetInstance()->ProcessCrashed(
        process_->GetTerminationStatus(true /* known_dead */, NULL));
}

GpuProcessHost::GpuProcessKind GpuProcessHost::kind()
{
    return kind_;
}

void GpuProcessHost::ForceShutdown()
{
    // This is only called on the IO thread so no race against the constructor
    // for another GpuProcessHost.
    if (g_gpu_process_hosts[kind_] == this)
        g_gpu_process_hosts[kind_] = NULL;

    process_->ForceShutdown();
}

void GpuProcessHost::StopGpuProcess()
{
    Send(new GpuMsg_Finalize());
}

bool GpuProcessHost::LaunchGpuProcess(gpu::GpuPreferences* gpu_preferences)
{
    const base::CommandLine& browser_command_line = *base::CommandLine::ForCurrentProcess();

    base::CommandLine::StringType gpu_launcher = browser_command_line.GetSwitchValueNative(switches::kGpuLauncher);

#if defined(OS_ANDROID)
    // crbug.com/447735. readlink("self/proc/exe") sometimes fails on Android
    // at startup with EACCES. As a workaround ignore this here, since the
    // executable name is actually not used or useful anyways.
    std::unique_ptr<base::CommandLine> cmd_line = base::MakeUnique<base::CommandLine>(base::CommandLine::NO_PROGRAM);
#else
#if defined(OS_LINUX)
    int child_flags = gpu_launcher.empty() ? ChildProcessHost::CHILD_ALLOW_SELF : ChildProcessHost::CHILD_NORMAL;
#else
    int child_flags = ChildProcessHost::CHILD_NORMAL;
#endif

    base::FilePath exe_path = ChildProcessHost::GetChildPath(child_flags);
    if (exe_path.empty())
        return false;

    std::unique_ptr<base::CommandLine> cmd_line = base::MakeUnique<base::CommandLine>(exe_path);
#endif

    cmd_line->AppendSwitchASCII(switches::kProcessType, switches::kGpuProcess);

    BrowserChildProcessHostImpl::CopyFeatureAndFieldTrialFlags(cmd_line.get());

#if defined(OS_WIN)
    cmd_line->AppendArg(switches::kPrefetchArgumentGpu);
#endif // defined(OS_WIN)

    if (kind_ == GPU_PROCESS_KIND_UNSANDBOXED)
        cmd_line->AppendSwitch(switches::kDisableGpuSandbox);

    // TODO(penghuang): Replace all GPU related switches with GpuPreferences.
    // https://crbug.com/590825
    // If you want a browser command-line switch passed to the GPU process
    // you need to add it to |kSwitchNames| at the beginning of this file.
    cmd_line->CopySwitchesFrom(browser_command_line, kSwitchNames,
        arraysize(kSwitchNames));
    cmd_line->CopySwitchesFrom(
        browser_command_line, switches::kGLSwitchesCopiedFromGpuProcessHost,
        switches::kGLSwitchesCopiedFromGpuProcessHostNumSwitches);

    GetContentClient()->browser()->AppendExtraCommandLineSwitches(
        cmd_line.get(), process_->GetData().id);

    GpuDataManagerImpl::GetInstance()->AppendGpuCommandLine(cmd_line.get(),
        gpu_preferences);
    if (cmd_line->HasSwitch(switches::kUseGL)) {
        swiftshader_rendering_ = (cmd_line->GetSwitchValueASCII(switches::kUseGL) == "swiftshader");
    }

    bool current_gpu_type_enabled = swiftshader_rendering_ ? gpu_enabled_ : hardware_gpu_enabled_;
    if (!current_gpu_type_enabled) {
        SendOutstandingReplies();
        return false;
    }

    UMA_HISTOGRAM_BOOLEAN("GPU.GPUProcessSoftwareRendering",
        swiftshader_rendering_);

    // If specified, prepend a launcher program to the command line.
    if (!gpu_launcher.empty())
        cmd_line->PrependWrapper(gpu_launcher);

    std::unique_ptr<GpuSandboxedProcessLauncherDelegate> delegate = base::MakeUnique<GpuSandboxedProcessLauncherDelegate>(*cmd_line);
    process_->Launch(std::move(delegate), std::move(cmd_line), true);
    process_launched_ = true;

    UMA_HISTOGRAM_ENUMERATION("GPU.GPUProcessLifetimeEvents",
        LAUNCHED, GPU_PROCESS_LIFETIME_EVENT_MAX);
    return true;
}

void GpuProcessHost::SendOutstandingReplies()
{
    valid_ = false;
    // First send empty channel handles for all EstablishChannel requests.
    while (!channel_requests_.empty()) {
        EstablishChannelRequest request = channel_requests_.front();
        channel_requests_.pop();
        request.callback.Run(IPC::ChannelHandle(), gpu::GPUInfo());
    }

    while (!create_gpu_memory_buffer_requests_.empty()) {
        CreateGpuMemoryBufferCallback callback = create_gpu_memory_buffer_requests_.front();
        create_gpu_memory_buffer_requests_.pop();
        callback.Run(gfx::GpuMemoryBufferHandle());
    }

    if (!send_destroying_video_surface_done_cb_.is_null())
        base::ResetAndReturn(&send_destroying_video_surface_done_cb_).Run();
}

void GpuProcessHost::BlockLiveOffscreenContexts()
{
    for (std::multiset<GURL>::iterator iter = urls_with_live_offscreen_contexts_.begin();
         iter != urls_with_live_offscreen_contexts_.end(); ++iter) {
        GpuDataManagerImpl::GetInstance()->BlockDomainFrom3DAPIs(
            *iter, GpuDataManagerImpl::DOMAIN_GUILT_UNKNOWN);
    }
}

void GpuProcessHost::RecordProcessCrash()
{
    // Maximum number of times the GPU process is allowed to crash in a session.
    // Once this limit is reached, any request to launch the GPU process will
    // fail.
    const int kGpuMaxCrashCount = 3;

    // Last time the GPU process crashed.
    static base::Time last_gpu_crash_time;

    bool disable_crash_limit = base::CommandLine::ForCurrentProcess()->HasSwitch(
        switches::kDisableGpuProcessCrashLimit);

    // Ending only acts as a failure if the GPU process was actually started and
    // was intended for actual rendering (and not just checking caps or other
    // options).
    if (process_launched_ && kind_ == GPU_PROCESS_KIND_SANDBOXED) {
        if (swiftshader_rendering_) {
            UMA_HISTOGRAM_ENUMERATION("GPU.SwiftShaderLifetimeEvents",
                DIED_FIRST_TIME + swiftshader_crash_count_,
                GPU_PROCESS_LIFETIME_EVENT_MAX);

            if (++swiftshader_crash_count_ >= kGpuMaxCrashCount && !disable_crash_limit) {
                // SwiftShader is too unstable to use. Disable it for current session.
                gpu_enabled_ = false;
            }
        } else {
            ++gpu_crash_count_;
            UMA_HISTOGRAM_ENUMERATION("GPU.GPUProcessLifetimeEvents",
                std::min(DIED_FIRST_TIME + gpu_crash_count_,
                    GPU_PROCESS_LIFETIME_EVENT_MAX - 1),
                GPU_PROCESS_LIFETIME_EVENT_MAX);

            // Allow about 1 GPU crash per hour to be removed from the crash count,
            // so very occasional crashes won't eventually add up and prevent the
            // GPU process from launching.
            ++gpu_recent_crash_count_;
            base::Time current_time = base::Time::Now();
            if (crashed_before_) {
                int hours_different = (current_time - last_gpu_crash_time).InHours();
                gpu_recent_crash_count_ = std::max(0, gpu_recent_crash_count_ - hours_different);
            }

            crashed_before_ = true;
            last_gpu_crash_time = current_time;

            if ((gpu_recent_crash_count_ >= kGpuMaxCrashCount && !disable_crash_limit) || !initialized_) {
#if !defined(OS_CHROMEOS)
                // The GPU process is too unstable to use. Disable it for current
                // session.
                hardware_gpu_enabled_ = false;
                GpuDataManagerImpl::GetInstance()->DisableHardwareAcceleration();
#endif
            }
        }
    }
}

std::string GpuProcessHost::GetShaderPrefixKey(const std::string& shader)
{
    if (shader_prefix_key_info_.empty()) {
        gpu::GPUInfo info = GpuDataManagerImpl::GetInstance()->GetGPUInfo();

        shader_prefix_key_info_ = GetContentClient()->GetProduct() + "-" +
#if defined(OS_ANDROID)
            base::android::BuildInfo::GetInstance()->android_build_fp() + "-" +
#endif
            info.gl_vendor + "-" + info.gl_renderer + "-" + info.driver_version + "-" + info.driver_vendor;
    }

    // The shader prefix key is a SHA1 hash of a set of per-machine info, such as
    // driver version and os version, as well as the shader data being cached.
    // This ensures both that the shader was not corrupted on disk, as well as
    // that the shader is correctly configured for the current hardware.
    std::string prefix;
    base::Base64Encode(base::SHA1HashString(shader_prefix_key_info_ + shader),
        &prefix);
    return prefix;
}

void GpuProcessHost::LoadedShader(const std::string& key,
    const std::string& data)
{
    std::string prefix = GetShaderPrefixKey(data);
    bool prefix_ok = !key.compare(0, prefix.length(), prefix);
    UMA_HISTOGRAM_BOOLEAN("GPU.ShaderLoadPrefixOK", prefix_ok);
    if (prefix_ok)
        Send(new GpuMsg_LoadedShader(data));
}

void GpuProcessHost::CreateChannelCache(int32_t client_id)
{
    TRACE_EVENT0("gpu", "GpuProcessHost::CreateChannelCache");

    scoped_refptr<gpu::ShaderDiskCache> cache = GetShaderCacheFactorySingleton()->Get(client_id);
    if (!cache.get())
        return;

    cache->set_shader_loaded_callback(base::Bind(&HostLoadedShader, host_id_));

    client_id_to_shader_cache_[client_id] = cache;
}

void GpuProcessHost::OnDestroyChannel(int32_t client_id)
{
    TRACE_EVENT0("gpu", "GpuProcessHost::OnDestroyChannel");
    client_id_to_shader_cache_.erase(client_id);
}

void GpuProcessHost::OnCacheShader(int32_t client_id,
    const std::string& key,
    const std::string& shader)
{
    TRACE_EVENT0("gpu", "GpuProcessHost::OnCacheShader");
    ClientIdToShaderCacheMap::iterator iter = client_id_to_shader_cache_.find(client_id);
    // If the cache doesn't exist then this is an off the record profile.
    if (iter == client_id_to_shader_cache_.end())
        return;
    iter->second->Cache(GetShaderPrefixKey(shader) + ":" + key, shader);
}

} // namespace content
